Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Communications Open Source Security Cloud Crime Databases Government Microsoft Privacy Software The Almighty Buck The Internet News Your Rights Online

Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach (wptavern.com) 155

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft's Outlook Web Access. Outdated open source software running the frontend of the firm's websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm's WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn't been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server.
This discussion has been archived. No new comments can be posted.

Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach

Comments Filter:
  • Medal winner? (Score:4, Insightful)

    by Lead Butthead ( 321013 ) on Wednesday April 06, 2016 @07:34PM (#51857197) Journal

    We should give that person a medal for handing those dox to the press...

  • by jafiwam ( 310805 ) on Wednesday April 06, 2016 @07:39PM (#51857223) Homepage Journal

    Every law firm I have ever had tangential contact in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

    A breach like this is not an unexpected result.

    • It's the same in government, excepting the NSA of course. They all skimp out on IT and most of them get hacked in the end. Look at State and OPM. Face it, the pay scale is broken for IT. Government is having issues- schools don't like to think they need to pay IT more than administrators, FBI doesn't want to pay IT more than agents. So they all have lousy IT tech.
      • by Anonymous Coward

        "pay scale is broken for IT" That's why the government relies on expensive 3rd party firms for the development and support. Highly paid contractors staff the vast majority of government related systems. Working on the security and military related systems pays really well.

        And all of the really big hacks we hear about today can be placed squarely on the shoulders of the IT system administrators. Atrocious firewall configurations, bad network appliances configurations, and failure to apply security patches as

    • I doubt though that it was a hack, it suspect it might as well be an insider. I mean, it would be so much easier to fetch those 3TB as a employee or contractor than through the website (which as far as we know might not even be connected to the data trove).

    • by Gumbercules!! ( 1158841 ) on Wednesday April 06, 2016 @09:31PM (#51857737)
      You know, this is true in my experience, too. I've worked with 3 law firms in the past, one of who is actually massive, and they were all mind blowing cheapskates. One place we tried to get work from charges barristers out at something near $1,000 an hour - and refused to pay an IT company more than $50. They said that kind of work wasn't worth more than that. I literally walked out. Another place was involved in a Royal Commission (a very big deal in Australia) and they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license.
      • "they had a single, 7 year old server running Linux with Samba emulating an NT domain (for a totally Windows environment) not because they believe in Linux but because they wouldn't spring for a Windows Server license."

        Failing to see the fail here. Of course, if you mean 7-year old unpatched or orphaned software then you have a point. but samba on linux serving files to MS - it does that rather well.

        • by dwywit ( 1109409 )

          The word was "server" - i.e. hardware. Without redundancy or top-class backups, seven year-old hardware is a big enough risk, even if it was running modern, fully-patched, fully-hardened/paranoid software.

          • by Anonymous Coward

            You would be shocked to see something like that, but with all the drives that would provide redundancy failed.
            They didn't even attempt to erase the data when it was trashed.

        • Mossack Fonseca, the Panamanian law firm: "They hacked our what???? All that data is leaked? From corrupt world leaders and billionaires? Oh no no no no no...oh oh. OH FUCK here comes Wilfred Brimley!"

          Wilford Brimley: "Have a seat there, son."

      • My experience too with law firms and accountants. I have a feeling they hate paying by the hour.

        I wonder why ...
        • by tatman ( 1076111 )

          My experience too with law firms and accountants. I have a feeling they hate paying by the hour.

          But they sure don't mind charging by the hour (in 1/6 hr increments no less)

      • I know a lot of consultants that will not work for law firms for these reasons. And of the ones that do, they often expect to never get their last payment. They just build that into the billing... :)
    • Law firms are all about US vs THEM.

      Our client vs the other client. The partners vs the overworked minions that hope to be partners. The partners vs the Contractors. It is in their soul to think like that. And people that work for them end up thinking like that too.

      One corollary is the low quality of legal information available on the web vs the huge amount on software engineering on sites like stackexchange.

    • by tlhIngan ( 30335 )

      Every law firm I have ever had tangential contact in an IT role has always been stupid cheap cheap cheap and self-righteous and arrogant about it. I don't do business with law firms just because of the headaches they cause friends and acquaintances about not paying, wanting the moon for a buck, etc.

      Not just law firms, but doctors and accountants as well. Basically it's as if the degree on the wall means they're more intelligent than the rest of the world, and unless you have a comparable degree, you're an

    • by wbr1 ( 2538558 )
      I work for a small local IT firm. Many of our clients are law firms, including our largest client. That one is okay but demanding. The rest are exactly as states, cheap, will not take ownership of policy or user created issues, late with pay, etc.
    • by afidel ( 530433 )

      Having just started working for one of the biggest law firms in the world I have to say that they're not all cheap, we spend about the same per employee as my previous employer (~$14,000/year) which is average for all mid to large sized companies from the industry numbers I've seen.

  • "Authorities have not yet identified the hacker behind the Panama Papers breach", well it was the CIA/NSA.
    Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outted.
    • "Authorities have not yet identified the hacker behind the Panama Papers breach", well it was the CIA/NSA. Look at the lack of US based names, so far there has been nothing but known criminals, on the other hand Russia, Pakistan, Iceland, UK have huge names outted.

      Reports I've seen said this is because basically this stuff is legal, or at least trivial, for US based people. Its a rigged system. No need to go offshore to have someone else do your dirty work.

      • these havens house nearly a quarter of all companies in existence on the planet. I find it highly suspicious that so far no one of significance form the US has been outed. Even Australia has 800 people identified in there. It seems of having being scrubbed before being released to the press.
        • by Anonymous Coward

          Outed as what though? "Look! Look! Microsoft has a massive shell corporation in Ireland!" No shirt, shitlock! The US government doesn't give a fuck about it, it's not secret, the only time it's illegal is when it's a personal bank account being used to hide income, and it's doubtful anyone needed some lawyer in Panama to open a bank account.

          • by Anonymous Coward
            you don't seem to understand what these shell companies are about. It isn't about hiding the wealth of large companies, these are shell companies with fake directors to hide the wealth of rich individuals to avoid paying tax in there home countries. I imagine the IRS most definitely would be highly interested as the US is one of the few countries that lays a claim on peoples earnings if they are US citizens EVEN if they no longer live in the country regardless of where they are earned.
            • by Morris von Habsburg ( 1977524 ) on Thursday April 07, 2016 @04:14AM (#51858789)

              But why would an American go to Panama if they can just go to Delaware?

              The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...

              • by Anonymous Coward
                Delaware doesn't allow you to hide your personal income from the IRS. Panama does. This law firm also has offices throughout the US so they definitely DO do business with a lot of rich US citizens.
              • But why would an American go to Panama if they can just go to Delaware?

                The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...

                Because Delaware information is visible to the IRS and Panama information is not.

                On the flip side, Delaware information is probably not visible in Panama so you'd probably find Panamanian politicians with accounts there.

              • because hiding your ownership of assets has a lot more effects and protection than what being in Delaware provides. Delware does not hide your details from the IRS, Delaware does not hide your assets from courts in case you are being sued and dragged through the courts over debts, delware does not hide your net worth from divorce lawyers that are demanding a 50-50 split. Basically it isn't just tax protection these people are seeking by hiding wealth, it is a general protection from all courts, agencies and
        • by dave420 ( 699308 )

          The US data will be released next week, apparently.

      • by Anonymous Coward
        so why then does this law firm have offices all around the US if they don't tend to deal with US people? perhaps more is coming but as it stands it is highly suspicious.
        • so why then does this law firm have offices all around the US if they don't tend to deal with US people?

          Do you consider US corporations to be US people, my friend? These offices may only have shell companies as clients as opposed to directly working with US citizens.

    • by Lead Butthead ( 321013 ) on Wednesday April 06, 2016 @08:26PM (#51857425) Journal

      The Russians goes on the offensive in the domestic media, accusing the dox were faked by CIA trying to smear his good name.
      The Chinese censors it in their domestic media.
      The Ice Lander protests and their Prime Minister resigns.

      • by houghi ( 78078 )

        And the Americans go 'Meh' and continue as before as they know nothing will come of it after the few first headlines.

        So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?

        • by monkeyxpress ( 4016725 ) on Thursday April 07, 2016 @07:42AM (#51859223)

          So what are the big US names involved? Or do they not need these kinds of structures as they have other ways of not paying taxes?

          Next week, apparently. The first round was just to get westerners interested in what would have otherwise been a bit of a flash in the pan 'revelation' that rich people don't pay tax. Most people wouldn't have been interested as the details are complex, and they would have figured such schemes are just part of being rich. The Chinese, Russian and Icelandic reactions to the news have succeeded in getting the common westerner's ears pricked up to the thought that this could be a very big scandal indeed.

          We will see what happens. I suspect David Cameron might be done next week. He is playing extremely strategic word games about his situation, and I can't see why he would bother being so meticulous unless he is concerned something has a good chance of coming out. I suspect he has a very big skeleton in his closet, and is being very careful to ensure he can only be labelled a hypocrite, not an outright liar.

    • by GuB-42 ( 2483988 )

      From a French journal, the possible reasons for the lack of US based names :
      - Mossack Fonseca is not the only player.
      - US taxation is lower than the average in OECD countries
      - FACTA
      - The US have their own tax heavens

  • I would hope that the web server is on a machine with its own internet connection that doesn't share ANYTHING with the internal corporate network besides perhaps a UPS. The less a website is linked to the better.
    I'm no web expert, but I have had this conversation over and over again with small to mid-sized business owners. First, assume your web server is going to get herpes. Make your next decision accordingly. Big companies with big budgets have more options.

  • Should have hired me instead, suckers!

  • I'm not surprised... (Score:5, Interesting)

    by __aaclcg7560 ( 824291 ) on Wednesday April 06, 2016 @07:48PM (#51857267)
    Keeping multiple WordPress websites up to date has become such a nuisance that I'm converting the older ones to static websites. Those 4,000+ hackers per day have nothing to hack at a static website and go away to find easier targets.
    • by Anonymous Coward

      No no no, you're supposed to make the whole thing world-writable so it can upgrade itself automatically!

    • Keeping multiple WordPress websites up to date has become such a nuisance

      I ran into this problem too. I wound up running InfiniteWP [infinitewp.com]. It's free. (Some of the additional features aren't free, but you don't need those.) You just install the InfiniteWP plugin on your WordPress sites and connect them up with the main InfiniteWP install. Then, you use InfiniteWP to install plugin/theme/WordPress updates on all of your servers.

  • by Ark42 ( 522144 ) <slashdot.morpheussoftware@net> on Wednesday April 06, 2016 @07:59PM (#51857305) Homepage

    How do you know if your WordPress or Drupal site is vulnerable? If the version number is greater than zero of course!

    Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!

    • Seriously. Unless all you need is a Geocities-type page with some static text and animated GIFs on the cheap, stay away from WordPress and Drupal!

      Not true! They can be used to generate static sites quite safely. :)

    • by Tablizer ( 95088 ) on Thursday April 07, 2016 @12:09AM (#51858219) Journal

      What's the alternative, roll-your-own CMS's? I've done those, and you are always re-inventing features that come standard or are pluggins in established CMS's as management/customers keep asking for new features.

      I've found security mistakes in my own code because of typical human error that inherently pops up when dealing with complexity. There may indeed be some security-thru-obscurity from DIY, but it just seems another form of gambling.

      I believe the best way to go is to outsource the basic CMS hosting and patching to an experienced vendor who is contractually obligated to patch timely, and verify that they do it via random spot checking.

      Because they run lots CMS instances, they should have the scripts and expertise to patch with some degree of economies-of-scale such that the expenses of timely patching shouldn't be too costly for them.

      Plus, they are likely to have somebody there Sunday at 3am to patch so that you don't have come in at 3am to patch yourself in order to keep the system up during normal hours.

      But, I don't have enough experience with that approach to render a final judgment. If anyone can recommend vendors who fit that bill based on experience, that would be great.

      • ...or just use something that was designed better in the first place, and ore secure by default... like Plone.

        -Matt

    • I run plenty of WordPress websites and they aren't too difficult to secure if you put a little effort into it. In this case, the big problem was that they didn't run updates. The site was running 4.1 instead of the latest version (4.4.2). It should have been updated long ago. (4.1.1 was released February 2015 and 4.2 was out in April 2015.) The same goes for plugins (which you should use as sparingly as possible since it not only increases security risks but can add to load time.) You can also install

    • Instead of just taking pot shots, can you suggest an alternative?

      Drupal is usually not the right solution for a "brochure" site. But, when done right, it can work very well as a portal for a more complex application, which is how it was being used in this case.

  • by tom229 ( 1640685 )
    This kind of puts to rest all those new world order conspiracy theories doesn't it? I mean, they can't be that brilliant if they can't even fucking update WordPress once a month. It's literally a calendar reminder to click a button.
    • ...and then the moment you click update, your site goes blank because the update changed the way WP/Drupal works. Either your theme or one of your plugins needs to be updated, and you'd better pray that the developer is still around and issuing updates. Otherwise, it's back to the drawing board as you try to figure out what exactly went wrong and how to fix it. I hope you're a coder skilled in tracing and bugfixing instead of an ordinary Wordpress user who installed the software because it was easy to do!
  • This public outing of Mossack Fonseca's pathetic computer security will have the unfortunate consequence of convincing the rest of the firms in that line of work to get more serious about their own. For those who want greater transparency in the world of tax havens this hack of Mossack Fonseca might be a wrench in the works.

    • by gweihir ( 88907 )

      Your comment is so stupid, it is staggering.

      • You don't understand that people are more likely to buy a fire extinguisher after watching the building next door burn down?
        • by gweihir ( 88907 )

          I am referring to the idea that bad IT security would mean "better transparency".

          • It clearly did in this case, not the first time ether.

            • by gweihir ( 88907 )

              No, it did not. It did point out a serious problem, but "transparency" is something else than getting a huge, unstructured and very likely incomplete data-dump to the press.

              • There are other forms of 'transparency', but this qualifies. All data is subject to manipulation. This data should not be accepted at face value, but no data should.

  • by PPH ( 736903 ) on Wednesday April 06, 2016 @09:37PM (#51857759)

    What the hell is sensitive client data doing on an Internet connected machine?

    • Air gaps aren't enough. The Iranian centrifuges were air gapped.

      • by PPH ( 736903 )

        The Iranian centrifuges were air gapped.

        Stuxnet was a one way payload. It only had to get on to the controllers. At Mossack Fonseca, the object was to get data back out.

  • So they were running essentially an automatic version of this guy [youtube.com]
  • Wordpress vulnerabilities - for once they're a help and not a hindrance.

  • by JustAnotherOldGuy ( 4145623 ) on Wednesday April 06, 2016 @10:30PM (#51857929)

    Bernie Sanders warned us about this back in 2011 or so...

    https://www.youtube.com/watch?... [youtube.com]

    Sanders made a speech on the Senate floor in October of 2011 that warned that a proposed trade agreement with Panama would open the floodgates of American money flowing into off-shore tax havens, a plea that ultimately fell on deaf ears as the agreement was signed by President Barack Obama later that year.

  • by aberglas ( 991072 ) on Wednesday April 06, 2016 @10:31PM (#51857935)

    I hope they catch them and throw the book at them. Life imprisonment at least.

    They have embarrassed more very powerful people than Snowden and Assange combined. This type of activity must be stopped.

    • You see, those rich people were hiding the money so terrorists wouldn't find it. But now that the terrorists know where the money is, the terrorists might take it and use it for terrorism. Have I said "terrorists/terrorism" enough times now to get you everyone against these hackers? Terrorism. Terrorism. Terrorism. Terrorists. Terrorism. Terrorism. How about how?

  • There apps are only as secure as the underlying Operating System and PLATFORM they run on, which in the case of WinTEL means not secure at all.
  • by gweihir ( 88907 ) on Wednesday April 06, 2016 @11:08PM (#51858031)

    With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.

    When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.

    • by jafiwam ( 310805 )

      With them optimizing profits, they probably had no money for IT security to spare. Save a million, lose a billion (or rather more in this instance). The fatal combination of greed and stupidity at its finest. Will not be the last instance of something this large happening due to non-understanding of IT security.

      When the first successful hack costs you everything, learning from experience is not a good strategy. Consulting and listening to some (admittedly expensive, but worth it) real experts may be a good idea.

      It was stupid decision making not just money. Though being cheap had a big part to play.

      A law firm web site doesn't change fast enough or often enough to do anything more than a folder full of traditional HTML files, JavaScript, CSS and images.

      They could have used something like that and head off 99.99% of the potential problems.

      Someone probably heard WP was "easy" and it wasn't even an IT guy at all that set it up. The reality is, WP is about as much work and learning as getting up to speed on HTML and

      • WordPress can be easy, but that doesn't mean that you don't need to know anything about websites/security to run a site. Especially if your site is "protecting" information on huge financial transactions. For most people, not updating their WordPress site just means that some joker puts "Powned By Hakors" on it. Annoying but ultimately not a huge impact. The bigger your site, though, the more you can't just say "we'll use X because it's easy and won't think about anything else." This is true regardless

  • by tlambert ( 566799 ) on Wednesday April 06, 2016 @11:17PM (#51858069)

    Biggest contributor to Panama breach:

    People doing illegal things in the first place.

  • Not convinced (Score:4, Interesting)

    by El_Muerte_TDS ( 592157 ) on Thursday April 07, 2016 @12:44AM (#51858293) Homepage

    We're talking about 2.6TB of data here, 11.5 million documents, photos, scans, and emails created over a time span of 1970 til now, received in batches during a year.
    I highly doubt some external used an exploit in customer facing portals to download this many individual files.

    • by jafiwam ( 310805 )

      Law firms like to put all that stuff in a big database (or two.)

      Chances are someone got that, or backup files of it and just set the download to run slowly over a couple of weeks so nobody noticed network slowdown.

      You only gotta get it out once.

  • Why is customer account info on a WCMS? The public-facing stuff should be hosted separate from the private/internal stuff (like customer accounts) such that if your public WCMS is breached, the private stuff should be protected. There should be a fire-wall between the public host and the private customer data hosts/servers. You wouldn't put customer details on a public WCMS normally. Your public site is a sales-ish tool.

    For biz-to-biz transactions, typically a CRUD-centric tool would be used, not a WCMS.

    Tha

  • I suspect that there's going to be a sudden outbreak of spontaneous Polonium poisoning in Panama due to this leak.
  • Utter Horseshit! (Score:4, Insightful)

    by Anonymous Coward on Thursday April 07, 2016 @07:09AM (#51859117)

    1. Even in the highly unlikely scenario that Wordpress was installed on the same system as Outlook Web Access, it would not provide access to the Exchange email system.

    2. There is nothing wrong with "outdated 2009" Outlook Web Access. That would be either Excahange 2007 or more likely Exchange 2010. Both are still fully supported and do not suffer any egregious vulnerabilities that would allow co-installed Wordpress to access the Exchange Server.

    3. Encrypted email? Who the fuck does that? No one, that's who. Let's not bother with any pretentious or condescending horseshit. Probably half of the world's email sits on Exchange servers, corporate on-premise or Office365/Outlook.com/Hotmail... None of it is encrypted at rest. Despite the available option and Google's recent TLS push, SMTP is not generally not encrypted. So, email in flight is even more open than at rest. This is the way it is everywhere and is not a major security issue.

    4. The Panama Papers consist of 2.6 TERABYTES of data! Have you ever tried to push or pull that much data over the internet? It is a huge undertaking, even with very high speed connections. While technically possible, it is unlikely that that much data was siphoned off remotely, especially form slow-ass Exchange servers.

    This entire article is pure fantastical supposition and utter horseshit. 2.6TB of Exchange emails DID NOT come through any Wordpress exploit. This data almost certainly came from an inside source and was walked out on a USB external drive which itself would have taken over 36 hours to copy the data to.

    This "story" is utter horseshit. Just like the international outrage over legal financial activities. It's all manufactured nonsense.

  • So many servers run ancient versions of popular CMS packages and then wonder why their server constantly gets hacked.
    Heaven forbid they are running WHMCS on a box with other websites (quickest way to get rooted).

    It got so bad for us here, I had to write a script to scan customer servers just to find all of the outdated packages.
    It amazes me to read some of the reports, seeing sites running decade old software is not uncommon.

    Still is a battle to get people to actually update their sites once they have been

  • There is more technical details in this article [www.unicornriot.ninja].

    They are running a 2013 version of Drupal that is vulnerable to SQL injection (dubbed Drupalgeddon).

    They are also running an Oracle HTTP server too. That web server seems to be ignoring the .htaccess setup by Drupal, and returns back the entire code of the .module files, and listings of directories, and such.

    More interesting is how ICIJ setup their own collaboration around the documents using open source software, like VeraCrypt (fork of TruCrypt), Backlight (

  • This has a lot of detailed information about the problems with Mossack Fonseca client portal: http://www.unicornriot.ninja/?... [www.unicornriot.ninja] including the possibility of using the website vulns to get into Oracle.

You have junk mail.

Working...